Automator: update common-files@master in istio/api@master (#2691)

Author: istio-testing

common/.commonfiles.sha

@@ -1 +1 @@
-f25cde919c2e8d0c2dfb9e465736ff92a9fa4de7
+811b64d6136aa6d85ea194b3cd1d378a82bf96e9

common/scripts/metallb.yaml

@@ -1,4 +1,4 @@
-# from https://github.com/metallb/metallb/tree/v0.9.3/manifests namespace.yaml and metallb.yaml
+# from https://github.com/metallb/metallb/blob/v0.12/manifests namespace.yaml and metallb.yaml
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -12,7 +12,6 @@ metadata:
   labels:
     app: metallb
   name: controller
-  namespace: metallb-system
 spec:
   allowPrivilegeEscalation: false
   allowedCapabilities: []
@@ -54,13 +53,10 @@ metadata:
   labels:
     app: metallb
   name: speaker
-  namespace: metallb-system
 spec:
   allowPrivilegeEscalation: false
   allowedCapabilities:
-    - NET_ADMIN
     - NET_RAW
-    - SYS_ADMIN
   allowedHostPaths: []
   defaultAddCapabilities: []
   defaultAllowPrivilegeEscalation: false
@@ -72,6 +68,8 @@ spec:
   hostPorts:
     - max: 7472
       min: 7472
+    - max: 7946
+      min: 7946
   privileged: true
   readOnlyRootFilesystem: true
   requiredDropCapabilities:
@@ -118,7 +116,6 @@ rules:
       - get
       - list
       - watch
-      - update
   - apiGroups:
       - ''
     resources:
@@ -158,6 +155,13 @@ rules:
       - get
       - list
       - watch
+  - apiGroups: ["discovery.k8s.io"]
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ''
     resources:
@@ -207,6 +211,37 @@ rules:
       - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    resourceNames:
+      - memberlist
+    verbs:
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    resourceNames:
+      - controller
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -268,6 +303,21 @@ subjects:
   - kind: ServiceAccount
     name: speaker
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controller
+subjects:
+  - kind: ServiceAccount
+    name: controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -294,6 +344,7 @@ spec:
         - args:
             - --port=7472
             - --config=config
+            - --log-level=info
           env:
             - name: METALLB_NODE_NAME
               valueFrom:
@@ -307,45 +358,63 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+            # needed when another software is also using memberlist / port 7946
+            # when changing this default you also need to update the container ports definition
+            # and the PodSecurityPolicy hostPorts definition
+            #- name: METALLB_ML_BIND_PORT
+            #  value: "7946"
             - name: METALLB_ML_LABELS
               value: "app=metallb,component=speaker"
-            - name: METALLB_ML_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
             - name: METALLB_ML_SECRET_KEY
               valueFrom:
                 secretKeyRef:
                   name: memberlist
                   key: secretkey
-          image: metallb/speaker:v0.9.3
-          imagePullPolicy: Always
+          image: gcr.io/istio-testing/metallb/speaker:v0.12.1
           name: speaker
           ports:
             - containerPort: 7472
               name: monitoring
-          resources:
-            limits:
-              cpu: 100m
-              memory: 100Mi
+            - containerPort: 7946
+              name: memberlist-tcp
+            - containerPort: 7946
+              name: memberlist-udp
+              protocol: UDP
+          livenessProbe:
+            httpGet:
+              path: /metrics
+              port: monitoring
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /metrics
+              port: monitoring
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               add:
-                - NET_ADMIN
                 - NET_RAW
-                - SYS_ADMIN
               drop:
                 - ALL
             readOnlyRootFilesystem: true
       hostNetwork: true
       nodeSelector:
-        beta.kubernetes.io/os: linux
+        kubernetes.io/os: linux
       serviceAccountName: speaker
       terminationGracePeriodSeconds: 2
       tolerations:
         - effect: NoSchedule
           key: node-role.kubernetes.io/master
+          operator: Exists
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -374,26 +443,46 @@ spec:
         - args:
             - --port=7472
             - --config=config
-          image: metallb/controller:v0.9.3
-          imagePullPolicy: Always
+            - --log-level=info
+          env:
+            - name: METALLB_ML_SECRET_NAME
+              value: memberlist
+            - name: METALLB_DEPLOYMENT
+              value: controller
+          image: gcr.io/istio-testing/metallb/controller:v0.12.1
           name: controller
           ports:
             - containerPort: 7472
               name: monitoring
-          resources:
-            limits:
-              cpu: 100m
-              memory: 100Mi
+          livenessProbe:
+            httpGet:
+              path: /metrics
+              port: monitoring
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /metrics
+              port: monitoring
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - all
             readOnlyRootFilesystem: true
       nodeSelector:
-        beta.kubernetes.io/os: linux
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 65534
+        fsGroup: 65534
       serviceAccountName: controller
       terminationGracePeriodSeconds: 0